The NGINX developers have released an updated stable version 1.4.1 and development version 1.5.0 to fix a major security flaw in the popular open source web server application. A stack-based buffer overflow is reported to occur in worker processes when handling specially crafted requests – the overflow could be exploited in such a way that it could lead to arbitrary code execution.

__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

"The flaw, now given an identity as CVE-2013-2028, appeared in NGINX 1.3.9, a development branch of the server released in November 2012, and appears to have persisted through development to still be present in April's release of the new stable version. A patch is also available for the flaw, which was found by Greg MacManus of iSIGHT Partners Labs.

The updated versions are available to download from the NGINX site. Given that 1.4.0 has only been available for a few weeks, many sites will likely be running the unaffected older stable branch of NGINX – 1.2 – originally published in April 2012, for which the most recent bug-fix release is version 1.2.8, published at the start of April. This is, however, now deemed a legacy version of NGINX."

...
Fixed the "right-of-cursor background color is inverted when we do delete-after-cursor" bug on luna88k wscons(4) console.
Preliminary support added for mvme88k MVME180 and MVME181 boards.
nginx(8) security fix for CVE-2013-2028 (see http://mailman.nginx.org/pipermail/n...13/000112.html).
Stopped binutils rejecting "++" and "--" in expressions, as some versions of gcc(1) emit these.
Don't leak usb(4) information to userland in the case where the actual transfer length is smaller than the requested one and the USBD_SHORT_XFER_OK flag is set.
...